
SD-WAN Architecture for Enterprise


7.0.0

Traffic flow

Once all the routes have been distributed across all the sites, the application traffic flow can be controlled by SD-WAN rules according to the design principles described in the previous chapter. SD-WAN rules may dictate how traffic is steered based on the business requirement and desired redundancy.

  • Direct internet access (DIA): used when local internet breakout at a location is required. In this scenario, the business application(s), such as a SaaS application or website, is located on the internet, and the SD-WAN appliance is needed to decide the best path between multiple WAN links.

    Traffic is routed directly to the internet by using the preferred method in the SD-WAN rule.

  • Branch to datacenter: used when branch users require connectivity to an application or workload that is located behind the gateway in the datacenter. The branch SD-WAN device should monitor all available overlay links and choose the best path according to the business requirement.

  • Branch to branch: used when branch-to-branch communication is required. Traffic can flow through the SD-WAN gateway, or directly between branch locations by means of Auto-Discovery VPN (ADVPN). ADVPN is made possible by the SD-WAN gateway (the hub) providing the routing and IPsec information to the branch where the first request originates. In this case, only the first few packets flow through the hub, until the ADVPN shortcut between the two branches is built.

  • Remote internet access (RIA): used when internet traffic from the branch is backhauled to the gateway for inspection and external breakout. RIA is typically used when a private link (such as MPLS) to the gateway is available as an alternative path to the internet for branch locations. When the local internet link degrades, traffic can be backhauled over the private link and broken out at the gateway.

    Another use for RIA exists where security inspection is required for internet traffic. For locations where local security inspection is not possible, traffic can be offloaded to the SD-WAN gateway and inspected before being sent to its destination.
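The following FortiOS 7.0 CLI fragment is an added example, not configuration taken from this guide or from Fortinet, showing how a branch (spoke) FortiGate can express the flows listed above with SD-WAN rules: a DIA rule for a SaaS application, a branch-to-datacenter rule over the overlay, and a catch-all internet rule that prefers local breakout but falls back to backhauling through the hub (RIA) when the underlay links fall out of SLA, together with the ADVPN receiver setting on the spoke's hub tunnel. Interface names, all addresses, the address objects LAN_subnet and DC_subnets, the health-check targets, the SLA thresholds and the pre-shared key placeholder are assumptions. It also assumes the hub's dynamic phase1 carries `set auto-discovery-sender enable`, and that the datacenter prefixes and a default route are reachable over the overlay (for example learned from the hub via BGP), since an SD-WAN rule only steers to a member that has a route to the destination.

```fortios
# Branch (spoke) FortiGate, FortiOS 7.0. Illustrative only: names, addresses
# and thresholds are placeholders, not values from the guide.

# Overlay to the hub. The spoke accepts ADVPN shortcut offers; the hub's
# matching phase1 (set type dynamic) uses auto-discovery-sender instead.
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw 203.0.113.10
        set psksecret <pre-shared-key>
    next
end

config system sdwan
    set status enable
    # Members 1 and 2 are underlay (local internet) links, member 3 is the
    # IPsec overlay to the hub. Underlay members need an explicit gateway.
    config members
        edit 1
            set interface "wan1"
            set gateway 192.0.2.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
        edit 3
            set interface "HUB1-VPN1"
        next
    end
    # Health checks: one probes an internet target over both underlays,
    # the other probes the hub's loopback across the overlay.
    config health-check
        edit "internet"
            set server "192.0.2.53"
            set protocol ping
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 2
                next
            end
        next
        edit "hub"
            set server "10.255.1.1"
            set protocol ping
            set members 3
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 1
                next
            end
        next
    end
    # Rules are evaluated top-down; the first match wins.
    config service
        # DIA: SaaS traffic goes out the local links only.
        edit 1
            set name "DIA-SaaS"
            set mode sla
            set src "LAN_subnet"
            set internet-service enable
            set internet-service-name "Microsoft-Office365"
            config sla
                edit "internet"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        # Branch to datacenter: steered across the overlay to the hub.
        edit 2
            set name "Branch-to-DC"
            set mode sla
            set src "LAN_subnet"
            set dst "DC_subnets"
            config sla
                edit "hub"
                    set id 1
                next
            end
            set priority-members 3
        next
        # Remaining internet traffic: DIA first, RIA via the hub as fallback
        # when both underlay members are out of SLA.
        edit 3
            set name "Internet-DIA-RIA-fallback"
            set mode sla
            set src "LAN_subnet"
            set dst "all"
            config sla
                edit "internet"
                    set id 1
                next
                edit "hub"
                    set id 1
                next
            end
            set priority-members 1 2 3
        next
    end
end
```

In `mode sla` the rule walks `priority-members` in order and picks the first member whose referenced SLA targets are currently met, so rule 3 keeps internet traffic on wan1/wan2 while they are healthy and moves it onto the overlay when they degrade, which is the RIA behaviour described above; the hub then needs a firewall policy with NAT from the overlay to its own internet link to complete the breakout. Firewall policies on the branch from the LAN to the SD-WAN zone holding these members are still required and are omitted here.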
